Chapter 6. Own Your Role as a Threat Modeling Champion

You can’t make people listen to you. You can’t make them execute. That might be a temporary solution for a simple task. But to implement real change, to drive people to accomplish something truly complex or difficult or dangerous—you can’t make people do those things. You have to lead them.

Jocko Willink

In this chapter, we provide answers to common questions and cover angles and details that didn’t fit in the previous chapters. We use a Q&A style to address some of the questions we get on a daily basis. These questions come to us from all sides: the development teams we work with, our immediate management or theirs, peers both experienced and novice, and sometimes ourselves. We hope they will give you some more thinking points on what it means to be a threat modeler, a security practitioner, and a leader for change.

How Do I Get Leadership On-Board with Threat Modeling?

Q: Our team’s leadership is not fully on-board with the value of threat modeling. They don’t see the benefit of having this capability or making the investment necessary to build it out. Are there things that I (as the security champion or expert) can do to help facilitate this conversation and gain their buy-in?

A: Remind them of what happens if they don’t. Leadership may not appreciate the impact that threat modeling can have on the security and quality of your system, or the cost of finding a design flaw in production rather than on the whiteboard.

You can try to use two main arguments that do not depend on “the experts ...
